<html>
<head><meta charset="utf-8"><title>Out-of-thin-air · t-lang/wg-unsafe-code-guidelines · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/index.html">t-lang/wg-unsafe-code-guidelines</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html">Out-of-thin-air</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="178007888"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178007888" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178007888">(Oct 12 2019 at 21:47)</a>:</h4>
<p><span class="user-mention" data-user-id="132920">@gnzlbg</span> </p>
<blockquote>
<div class="codehilite"><pre><span></span> FYI the latest revision 1 of the paper suggests that there is consensus on what the fixed semantics of relaxed ought to look like, but since that&#39;s a backward incompatible change that software and hardware vendors might need time to adapt to, it proposes to add a new memory order called load_store instead.
</pre></div>


</blockquote>
<p>I'll wait until someone formalized <code>load_store</code> then and fixed the bugs that so far were always present when models were suggested that did not come with theorems... ;)</p>



<a name="178008107"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008107" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008107">(Oct 12 2019 at 21:53)</a>:</h4>
<p>That paper says that this happened already in <a href="http://plv.mpi-sws.org/scfix/paper.pdf" target="_blank" title="http://plv.mpi-sws.org/scfix/paper.pdf">http://plv.mpi-sws.org/scfix/paper.pdf</a></p>



<a name="178008163"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008163" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008163">(Oct 12 2019 at 21:55)</a>:</h4>
<p>my reading of the paper is that the SCfix paper suggested one fix but they are suggesting a variant of that, or so? maybe I misread, I only skimmed it</p>



<a name="178008176"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008176" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008176">(Oct 12 2019 at 21:55)</a>:</h4>
<p>and also I think we need an operational model to make any sense out of all of that</p>



<a name="178008180"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008180" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008180">(Oct 12 2019 at 21:55)</a>:</h4>
<p>I haven't read this other paper yet, so I can't tell if the solution proposed there is the same as the one in the iso paper</p>



<a name="178008220"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008220" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008220">(Oct 12 2019 at 21:56)</a>:</h4>
<p>I mean, C++11 defines a notion of data race using a graph of the <em>whole program execution</em> while at the same time saying data races are UB, which makes it impossible to even say what the program does when executed!</p>



<a name="178008223"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008223" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008223">(Oct 12 2019 at 21:56)</a>:</h4>
<p>this is all awfully broken :(</p>



<a name="178008234"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008234" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008234">(Oct 12 2019 at 21:57)</a>:</h4>
<p>this relates to your "clobber" question actually</p>



<a name="178008245"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008245" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008245">(Oct 12 2019 at 21:57)</a>:</h4>
<p>maybe wrong thread?</p>



<a name="178008287"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008287" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008287">(Oct 12 2019 at 21:58)</a>:</h4>
<p>not really, this is my "ranting about C++ concurrency" thread ;)</p>



<a name="178008290"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008290" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008290">(Oct 12 2019 at 21:58)</a>:</h4>
<p>ah ok, then go ahead :P</p>



<a name="178008308"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008308" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008308">(Oct 12 2019 at 21:59)</a>:</h4>
<p>my personal rant is that it is impossible to explain the C++ concurrency to anybody, because nobody understands it</p>



<a name="178008309"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008309" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008309">(Oct 12 2019 at 21:59)</a>:</h4>
<p>"clobber" isn't the effect the code has, it's the <em>bound</em> on the effect. like, if we have a proper operational spec of everything, we can say that the compiler has to assume that the inline assembly <em>somehow</em> alters the machine state, subject to constraints X, Y, Z. so the answer to your question would be "a inline assembly block <em>could</em> cause a data race" (and therefore move the machine to the UB-error state). but it also couldn't, and the compiler has to do something that's correct for <em>any possible</em> action of the inline assembly block.</p>



<a name="178008311"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008311" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008311">(Oct 12 2019 at 21:59)</a>:</h4>
<p>this may be vague but if I am sure this can be made precise. I just need to throw some greek at it.</p>



<a name="178008367"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008367" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008367">(Oct 12 2019 at 22:00)</a>:</h4>
<p>but with an axiomatic model... you can't do anything like that, I don't think. you're just stuck.</p>



<a name="178008371"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008371" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008371">(Oct 12 2019 at 22:00)</a>:</h4>
<blockquote>
<p>"a inline assembly block could cause a data race (and therefore move the machine to the UB-error state). but it also couldn't, and the compiler has to do something that's correct for any possible action of the inline assembly block.</p>
</blockquote>
<p>That's not really what I was hoping or thinking</p>



<a name="178008383"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008383" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008383">(Oct 12 2019 at 22:01)</a>:</h4>
<p>I was hoping that <code>clobber</code> means that the inline assembly block could alter the machine state, but only in ways that do not cause an error in the abstract machine</p>



<a name="178008431"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008431" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008431">(Oct 12 2019 at 22:02)</a>:</h4>
<p>why not? seems like the natural spec to me: the annotations at the inline assembly block basically form a specification for the operation in there. it's like a Hoare triple. the compiler may assume that that spec is correct, but it may not assume anything else about what that block does.</p>
<p>I just dont know how to explain this to people that haven't done interactive program verification in a Hoare logic...^^</p>



<a name="178008440"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008440" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008440">(Oct 12 2019 at 22:03)</a>:</h4>
<blockquote>
<p>I was hoping that <code>clobber</code> means that the inline assembly block could alter the machine state, but only in ways that do not cause an error in the abstract machine</p>
</blockquote>
<p>well that's what I said. the compiler will always assume that we haven't reached the UB-error state.</p>



<a name="178008446"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008446" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008446">(Oct 12 2019 at 22:03)</a>:</h4>
<p>the thing is the compiler can't prove that the inline block doesn't cause a data race</p>



<a name="178008449"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008449" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008449">(Oct 12 2019 at 22:03)</a>:</h4>
<p>it also may not assume that it does cause a race</p>



<a name="178008493"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008493" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008493">(Oct 12 2019 at 22:04)</a>:</h4>
<p>so it can assume that it does not ?</p>



<a name="178008498"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008498" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008498">(Oct 12 2019 at 22:04)</a>:</h4>
<p>yeah</p>



<a name="178008499"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008499" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008499">(Oct 12 2019 at 22:04)</a>:</h4>
<p>its not like inline assembly can make UB legal</p>



<a name="178008519"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008519" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008519">(Oct 12 2019 at 22:05)</a>:</h4>
<p>yeah</p>



<a name="178008570"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008570" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008570">(Oct 12 2019 at 22:06)</a>:</h4>
<p><a href="https://llvm.org/docs/LangRef.html#clobber-constraints" target="_blank" title="https://llvm.org/docs/LangRef.html#clobber-constraints">https://llvm.org/docs/LangRef.html#clobber-constraints</a> </p>
<p>The actual clobber constraint is <code>~{memory}</code>, which means:</p>
<blockquote>
<p>indicates that the assembly writes to arbitrary undeclared memory locations – not only the memory pointed to by a declared indirect output.</p>
</blockquote>
<p>So it makes sense to me that this is ok as long as those writes do not cause a race.</p>



<a name="178008576"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008576" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008576">(Oct 12 2019 at 22:07)</a>:</h4>
<p>OTOH I doubt they mean <em>arbitrary</em></p>



<a name="178008584"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008584" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008584">(Oct 12 2019 at 22:07)</a>:</h4>
<p>like, memory that never had its address escape?</p>



<a name="178008591"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008591" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008591">(Oct 12 2019 at 22:07)</a>:</h4>
<p>maybe not that arbitrary, but you can get the stack pointer, and do... whatever you want</p>



<a name="178008636"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008636" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> comex <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008636">(Oct 12 2019 at 22:08)</a>:</h4>
<p>but you can't overwrite random variables that never had their address taken</p>



<a name="178008638"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008638" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> comex <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008638">(Oct 12 2019 at 22:08)</a>:</h4>
<p>well, you <em>can</em>, but it would be silly for the compiler to guarantee correct execution in that case</p>



<a name="178008640"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008640" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008640">(Oct 12 2019 at 22:08)</a>:</h4>
<p>even if the write isn't completely arbitrary, the compiler has to assume that the assembly block could write to a location that could cause a race</p>



<a name="178008648"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008648" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008648">(Oct 12 2019 at 22:08)</a>:</h4>
<p>this stuff gets really "fun" to specify formally when you think of the assembly block doing some action that disturbs the Rust AM abstraction, like page table manipulation, <em>while other AM threads are running</em>. the assembly has a proof obligation here to not break the abstraction... this becomes very compiler-specific quickly (I guess that's expected)</p>



<a name="178008649"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008649" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008649">(Oct 12 2019 at 22:08)</a>:</h4>
<p>and, e.g., consider that when consider whether memory operations can be re-ordered across an inline assembly block</p>



<a name="178008655"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008655" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008655">(Oct 12 2019 at 22:09)</a>:</h4>
<p>so in a sense, an inline assembly block with a <code>~{memory}</code> clobber must synchronize</p>



<a name="178008657"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008657" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008657">(Oct 12 2019 at 22:09)</a>:</h4>
<blockquote>
<p>and, e.g., consider that when consider whether memory operations can be re-ordered across an inline assembly block</p>
</blockquote>
<p>the compiler will reorder accesses to unescaped locals around unknown code</p>



<a name="178008658"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008658" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> comex <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008658">(Oct 12 2019 at 22:09)</a>:</h4>
<p>GCC documentation:</p>



<a name="178008659"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008659" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> comex <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008659">(Oct 12 2019 at 22:09)</a>:</h4>
<p>"memory"<br>
The "memory" clobber tells the compiler that the assembly code performs memory reads or writes to items other than those listed in the input and output operands (for example, accessing the memory pointed to by one of the input parameters). To ensure memory contains correct values, GCC may need to flush specific register values to memory before executing the asm. Further, the compiler does not assume that any values read from memory before an asm remain unchanged after that asm; it reloads them as needed. Using the "memory" clobber effectively forms a read/write memory barrier for the compiler.</p>
<p>Note that this clobber does not prevent the processor from doing speculative reads past the asm statement. To prevent that, you need processor-specific fence instructions.</p>



<a name="178008660"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008660" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008660">(Oct 12 2019 at 22:09)</a>:</h4>
<p>which can contain inline assembly</p>



<a name="178008665"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008665" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> comex <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008665">(Oct 12 2019 at 22:09)</a>:</h4>
<p>just for reference.</p>



<a name="178008712"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008712" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008712">(Oct 12 2019 at 22:10)</a>:</h4>
<p>so inline assembly still may not just get the stack ptr and mess with spilled local variables or so</p>



<a name="178008716"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008716" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008716">(Oct 12 2019 at 22:10)</a>:</h4>
<p>that's another aspect of "maintaining the abstraction"</p>



<a name="178008717"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008717" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> comex <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008717">(Oct 12 2019 at 22:10)</a>:</h4>
<p>indeed</p>



<a name="178008733"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008733" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008733">(Oct 12 2019 at 22:11)</a>:</h4>
<p><em>within</em> the AM that relies on allocator non-determinism.  so that'll somehow have to be extended far enough down the stack here...</p>



<a name="178008779"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008779" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008779">(Oct 12 2019 at 22:12)</a>:</h4>
<p>or maybe "escaped" actually becomes a manifest piece of state in some lower level of the Rust AM -- the version of that AM that assembly interacts with. that might be easier.</p>



<a name="178008782"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air/near/178008782" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Out-of-thin-air.html#178008782">(Oct 12 2019 at 22:12)</a>:</h4>
<p>anyway I am rambling and should be sleeping. good night!</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>